Insightandperspectivesondevelopmentsinmergers+acquisitions

Regulators get serious about cyber-security

In a previous post, we discussed how to manage cyber security risks during the negotiation and due diligence stages of an M&A transaction. In this post, we discuss the ways regulatory bodies have begun managing these risks and the significance of these efforts to M&A participants engaging in substantial data asset transfers.

On February 18, 2016, the Investment Industry Regulatory Organization of Canada (IIROC) released its Compliance Priorities Report. Following this, in March 2016, the Ontario Securities Commission (OSC) released its Draft Statement of Priorities for 2016/2017. These reports, which constitute summaries of issues and action plans identified by the regulators, share a common focus on the systemic risks posed by insufficient cyber-security and recognize that our growing dependence on digital connectivity enhances exposure to cyber-attacks.

Cyber-security weakness at any level can jeopardize a company’s position during the M&A process. Information loss during or after transactions and data transfers can have dire effects on stakeholder interests. If legal responsibilities and data security problems are left unaddressed, issues such as damaged reputations or the forfeiture of customers and future sales can result is serious losses.

The OSC and IIROC are positioning themselves to take a central role in enhance cyber-security resilience by undertaking oversight initiatives to promote proper due diligence in relation to internal breaches and intrusions from external parties. The agencies hope to achieve this by:

improving collaboration and communication between parties;

assessing cybersecurity resilience through targeted reviews;

providing guidance on cybersecurity preparedness; and

publishing notices of participant and infrastructure oversight.

What then can participants in the M&A market expect? When dealing with public companies, participants should bring higher expectations, in terms of cyber-security, to the table. The standards that will guide these expectations are yet to be announced by regulators. However, even after regulations are put in place, acquirers should review all the work their targets have done to satisfy cyber-security requirements.

While regulators focus on establishing stable standards to enhancing cyber-security resilience amongst market participants generally, parties to M&A transactions can be diligent in safeguarding their own interests by:

identifying digital assets to be transferred;

backing up any data prior to transfer;

transferring legal ownership of data quickly; and

planning for continuity in the event of data loss.

These steps should be taken as early as possible in the M&A process. As secure data transfers have become particularly important, early communication of duties and responsibilities is the safest way to combat the threats posed by cyber-attacks.

The author would like to thank James Parker, articling student, for his assistance in preparing this legal update.

About

Norton Rose Fulbright's lawyers in Canada cover the full range of areas involved in deal-making. Our Deal Law Wire blog is about sharing our insights with you. From corporate law to cross-border, antitrust/competition, intellectual property, employment and labour and pension matters and more, our lawyers offer a Canadian and truly global perspective that few practices in the world can rival.